Unpatched Adobe ColdFusion Vulnerability behind Linode Hack

In our previous article, we looked at the four vulnerabilities in ColdFusion that allowed attackers to bypass authentication and remotely hijack servers. Adobe has since repaired these vulnerabilities with its hotfixes.

This article discusses how an unpatched Adobe ColdFusion vulnerability made the Linode hack possible.

Linode, a leading VPS hosting provider, disclosed an intrusion it had detected against one of its customer accounts. The attack is believed to have been carried out by exploiting a previously unknown (zero-day) vulnerability in Adobe's ColdFusion application server.

According to Linode, the Hack The Planet (HTP) hacker group claimed responsibility for breaching the provider's web servers, which allowed them to obtain some of its source code and databases. The vulnerabilities were only recently resolved in Adobe's APSB13-10 hotfix.

Linode's founder and CEO, Christopher S. Aker, stated in a post explaining the breach: "Our investigation reveals that this group did not have access to any other component of the Linode infrastructure, including access to the host machines or any other server or service that runs our infrastructure."

The database stores credit card numbers in encrypted form using public/private key encryption. The private key is itself encrypted under a passphrase, and this complex passphrase is not stored electronically. Alongside the encrypted card numbers, the last four digits are stored in clear text to support lookups and for display in areas such as the Account tab and payment receipt emails.
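The storage design described above, as an added Ruby example that is not Linode's own code: the private key is stored only in passphrase-encrypted form, the web tier encrypts with the public key, and only the last four digits are kept in clear. RSA-OAEP, AES-256-CBC for the PKCS#8 key wrapping and the function names are assumptions.

```ruby
require 'openssl'

OAEP = OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING

# Wrap the private key for storage as a PKCS#8 PEM encrypted under the operator passphrase
# (OpenSSL derives the wrapping key from it with PBKDF2). Only this blob is stored; the
# passphrase itself is kept out of band, matching the article's "not stored electronically".
def wrap_private_key(priv, passphrase)
  priv.private_to_pem(OpenSSL::Cipher.new('aes-256-cbc'), passphrase)
end

# A wrong passphrase raises OpenSSL::PKey::PKeyError, so no card data is ever touched.
def unwrap_private_key(wrapped_pem, passphrase)
  OpenSSL::PKey::RSA.new(wrapped_pem, passphrase)
end

# The web tier holds only the public key, so it can write a billing row but never read it
# back. Returns the RSA-OAEP ciphertext (OAEP is an assumption; the article only says
# public/private key encryption) and the last four digits in clear for lookups and receipts.
def store_card(pub, pan)
  raise ArgumentError, 'card number too short' if pan.length < 4
  [pub.public_encrypt(pan, OAEP), pan[-4, 4]]
end

# Reading a full number needs the wrapped key and the passphrase together: a dump of the
# database plus the key blob is not enough on its own.
def reveal_card(wrapped_pem, passphrase, ciphertext)
  unwrap_private_key(wrapped_pem, passphrase).private_decrypt(ciphertext, OAEP)
end
```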

Passwords, which are not stored in clear text in its databases but are cryptographically hashed and salted, were also force-reset.

An email was sent to customers notifying them of the incident and recommending that they change their Linode shell (LISH) passwords.

Christopher Aker also said that they corrected the issue immediately and revoked all affected passwords. The LISH password can be reset under the Remote Access sub-tab of the Linode.

For customers who had an API key set, Linode expired the keys and sent an email with the following message.

“We take your trust and confidence in us very seriously, and we truly apologize for the inconvenience that these individuals caused,” Aker says. “Our entire team has been affected by this, leaving all of us, like you, feeling violated. We care deeply about the integrity of Linode and are proud of the work that we accomplish here for you. This unfortunate incident has only strengthened our commitment to you, our customer.”

Linode customers are advised to change their passwords on any other services where they have reused their Linode password.

We at ITLANDMARK can provide expert support for any vulnerabilities affecting your website. You can submit queries about the problems you are experiencing with your website through the contact form on this page.